Second breach

BA confirmed that a website compromise had gone undetected for months, and only came to light while it was investigating the breach of its website in September.

“Since our announcement on September 6, 2018 regarding the theft of our customers’ data, British Airways has been working continuously with specialist cyber forensic investigators and the National Crime Agency to investigate fully the data theft,” said the airline in a statement.

“The investigation has shown the hackers may have stolen additional personal data and we are notifying the holders of 77,000 payment cards, not previously notified, that the name, billing address, email address, card payment information, including card number, expiry date and CVV have potentially been compromised, and a further 108,000 without CVV,” it said.

The potentially impacted customers were those who made reward bookings between 21 April and 28 July and who used a payment card.

“While we do not have conclusive evidence that the data was removed from British Airways’ systems, we are taking a prudent approach in notifying potentially affected customers, advising them to contact their bank or card provider as a precaution,” said BA. “Customers who are not contacted by British Airways by Friday 26 October at 1700 GMT do not need to take any action.”

BA also said that the September hack had only affected 244,000 payment card details, and not the 380,000 as first thought.

“Crucially, we have had no verified cases of fraud,” said the airline. “We are very sorry that this criminal activity has occurred. As we have been doing, we will reimburse any customers who have suffered financial losses as a direct result of the data theft and we will be offering credit rating monitoring, provided by specialists in the field, to any affected customer who is concerned about an impact to their credit rating.”

Besides British Airways and Cathay Pacific, other airlines have also been compromised recently.

Expert reactions

BA’s admission was welcomed by some in the security sector, although others felt that the GDPR was playing a big part in pressuring organisations to be open and honest.

“On a positive note, the company publicly released the results of its investigation and the fact that additional customer details seem to have been compromised – which likely reflects a trend towards transparency as required under the GDPR,” said Matt Lock, director of sales engineers at Varonis.

“On the other hand, consumers who were told their information was safe are now learning several weeks on that they’ve been affected,” said Lock. “Is it really any surprise that consumer trust is lacking? With the GDPR in place, companies are navigating a new world of data privacy and disclosures.”

Another expert pointed out that it often takes a long time to find out the scale of a security breach.

“Investigations into security incidents can take a lot of time,” said Jason Rebholz, senior director of strategic partnerships at Gigamon. “It is important that organisations have as complete information as possible when they go public, otherwise they will face a backlash when they have to continually modify their statements. Until BA has completed its full investigation into the breach, it is unlikely we will know the full extent of impacted customers.”

Meanwhile, a fellow expert said the admission should act as a wake-up call for the industry.

“Organisations and government entities carry a responsibility to consumers and civilians alike to guard their most valuable information at all cost,” said Bill Conner, CEO of SonicWall. “While the British Airways breach may not have been as detrimental as I’m sure its culprits would have liked it to be, it should serve as a wake-up call to CTOs, CIOs and CISOs.”

“The fact is, it is early days, and the true damage done is yet to be seen,” said Conner. “Personal information that does not change as easily as a credit card or bank account number drives a high price on the Dark Web. This kind of Personally Identifiable Information is highly sought after by cybercriminals for monetary gain. Companies should be implementing security best practices such as a layered approach to protection, as well as proactively updating any out-of-date security devices, as a matter of course.”

Another expert noted it had been a bad week for the airline industry.

“In what is rapidly becoming a bad week for international travellers following news of the Cathay Pacific breach, the fact that British Airways have now announced that a further 185,000 passengers may have been affected by a breach over a three-month period brings to the fore questions on how the travel and hospitality industry is effectively securing their network and customer data,” said Rusty Carter, VP of product management at Arxan Technologies.

“Whilst the gap in their security may have been plugged back in September, it is concerning that this incident, which went on for a considerably longer period of time than the previous two weeks, has only now been uncovered as part of an ongoing investigation by the airline, cyber forensic investigators and the National Crime Agency,” said Carter.

“It demonstrates that enterprises still do not have in place robust enough security to protect their backend systems and databases, or the measures in place to identify these attacks in real time and cut them off as soon as abnormal activity is detected,” he said.